In 2019, an unprecedented number of US government entities, healthcare providers and educational establishments were impacted by ransomware, with at least 966 entities being successfully attacked at a cost of $7.5 billion.
Between January and April 2020, the number of successful attacks on public sector entities decreased month-over-month as the COVID-19 crisis worsened. We are, however, seeing a reversal in that trend, with the number of incidents now starting to increase. This may be due to the lifting of restrictions and employees returning to the workplace, or simply a normal seasonal spike.
Breakdown by month
At least 128 federal and state entities, healthcare providers and educational establishments were impacted by ransomware during Q1 and Q2.
- January – 39
- February – 38
- March – 12
- April – 10
- May – 15
- June – 14
Breakdown by sector
At least 60 government entities were impacted by ransomware during the first two quarters. The impacted entities included cities, transportation agencies, police departments and one federal agency.
- January – 19
- February – 12
- March – 7
- April – 5
- May – 8
- June – 9
At least 41 hospitals and other healthcare providers were successfully attacked during Q1 and Q2. Given that healthcare resources were already stressed due to the COVID-19 pandemic, these incidents were especially concerning.
- January – 10
- February – 16
- March – 3
- April – 3
- May – 4
- June – 5
At least 30 school districts and other educational establishments were impacted by ransomware, disrupting operations at up to 439 individual schools. Only one school district was successfully attacked between the months of May and June, with the NetWalker group being responsible for three attacks on universities.
- January – 10
- February – 12
- March – 2
- April – 2
- May – 4
- June – 0
Insights and conclusion
Academic studies and audits have repeatedly indicated that the US public sector practices cybersecurity poorly. As noted in our 2019 report, the US government must seek to bolster security across the public sector and should do so as a matter of urgency. This is especially important as ransomware incidents are no longer simply disruptive and expensive inconveniences: many are also data breaches.
Since November of last year, a steadily increasing number of groups – including DoppelPaymer, REvil/Sodinokibi and NetWalker – steal data as a precursor to encryption. If the targeted entity refuses to pay the ransom, the stolen data is published on a leak site or, in some cases, publicly auctioned.
So far this year, data has been stolen from at least five government entities and three universities, including a public research university actively engaged in COVID-19 research. Should steps not be taken to improve security immediately, data will inevitably be stolen from other entities and placed in the public domain.
Adding to the urgency is the fact that the pandemic could amplify existing security risks around the upcoming election, especially as some states have reallocated election security budgets to fund efforts related to COVID-19.
To address these risks, the US government must act decisively, and it must act now.
“2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.” — Fabian Wosar, CTO, Emsisoft.
Thanks and notes
In partnership with Coveware, we’re offering no-cost help to hospitals and other healthcare providers that are on the front lines of COVID-19 and have been impacted by ransomware.
We want to thank the academics, journalists, security researchers and other individuals who kindly shared information with us. Without that information, we would not have been able to help as many ransomware victims as we did. We hope the information we were able to share with them was equally useful.
This report is based on data from multiple sources, both public and non-public, and almost certainly understates the actual number of incidents. Incidents are mostly attributed to the month in which they occurred but, in a small number of cases, are attributed to the month of disclosure.